Text4shell: Apache Commons Text RCE via insecure interpolation - Vulnerability Database

Text4shell: Apache Commons Text RCE via insecure interpolation

Description

Apache Commons Text is a Java library that provides string manipulation utilities, including variable interpolation through the StringSubstitutor class. Versions prior to 1.10.0 contain a critical remote code execution (RCE) vulnerability known as Text4shell. When untrusted user input is processed by the StringSubstitutor interpolator, attackers can exploit insecure default configurations to execute arbitrary code on the server. This occurs because the library evaluates special lookup expressions within interpolated strings without proper sanitization.

Remediation

Immediately upgrade Apache Commons Text to version 1.10.0 or later, which disables the vulnerable interpolation lookups by default. Update your dependency management configuration as follows:

For Maven, update your pom.xml:

<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-text</artifactId>
  <version>1.10.0</version>
</dependency>

For Gradle, update your build.gradle:

implementation 'org.apache.commons:commons-text:1.10.0'

If immediate upgrading is not possible, implement input validation to reject any user input containing interpolation syntax patterns such as ${. Additionally, avoid passing untrusted input directly to StringSubstitutor methods. After upgrading, verify that no application code relies on the previously enabled script, DNS, or URL lookups, as these are now disabled by default.
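The two measures above in working Java, as an added example that is not Invicti's or the Apache Commons Text project's own code: an input guard that rejects untrusted strings containing `${`, and a StringSubstitutor built from an explicit lookup allowlist (interpolatorStringLookup with addDefaultLookups=false) so that script, DNS and URL lookups are simply not registered, which holds on versions before 1.10.0 as well. The class name SafeInterpolation, the `app` prefix and the sample values are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public final class SafeInterpolation {

    // Input validation as recommended above: untrusted input must never carry "${".
    public static String rejectInterpolationSyntax(String untrusted) {
        if (untrusted != null && untrusted.contains("${")) {
            throw new IllegalArgumentException("input contains interpolation syntax");
        }
        return untrusted;
    }

    // Substitutor whose only lookup is an explicit "app" map (assumed prefix).
    // addDefaultLookups=false: no script, dns, url or other built-in lookups are
    // registered, so the configuration is safe even on commons-text < 1.10.0.
    public static StringSubstitutor hardenedSubstitutor(Map<String, String> appVars) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appVars));
        StringLookup interpolator =
                StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        StringSubstitutor sub = new StringSubstitutor(interpolator);
        // Resolved values are not interpolated a second time, so a "${...}"
        // that slips into a value stays literal instead of being expanded.
        sub.setDisableSubstitutionInValues(true);
        return sub;
    }

    public static void main(String[] args) {
        Map<String, String> vars = new HashMap<>();
        vars.put("user", rejectInterpolationSyntax("alice")); // constructed benign input
        StringSubstitutor sub = hardenedSubstitutor(vars);

        // Trusted template text, untrusted data only in the variable values.
        System.out.println(sub.replace("Hello ${app:user}"));

        // Post-upgrade check from the remediation: an unregistered lookup prefix
        // is left unresolved, so the output must equal the input unchanged.
        String probe = "${script:javascript:1+1}"; // constructed probe, nothing is evaluated
        boolean scriptDisabled = probe.equals(sub.replace(probe));
        System.out.println("script lookup disabled: " + scriptDisabled);

        try {
            rejectInterpolationSyntax("${app:user}"); // constructed rejected input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same probe run through StringSubstitutor.createInterpolator() on a version before 1.10.0 is what the upgrade check in the text is meant to catch; with the allowlist above it stays a literal string on every version.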
